
Packet filtering is an important skill when capturing and managing large network dumps. There are several tools and techniques used to simplify searching and extraction of useful data from captured data.

Tcpdump can be configured to only capture traffic according to a specified filter. To include a filter, append a quoted filter string to the command line. Here is a simple example to capture LIVE packets coming to and from 192.168.1.10:

tcpdump -i eth0 -ttttnn "host 192.168.1.10"

In case you need to filter a previously saved pcap file (e.g. one produced by tcpdump -w capture.pcap -s 1550), you can use the -r flag combined with the same filter:

tcpdump -r capture.pcap "host 192.168.1.10"

It is recommended to use the following command line to speed up reading existing pcap files. This cleans up the timestamp and avoids name resolution:

tcpdump -ttttnnr capture.pcap "host 192.168.1.10"

Tcpdump man pages include the complete filter syntax; however, here are some of the more useful ones:

Specifying hosts
host 192.168.1.10 - capture traffic where the source or destination is 192.168.1.10
dst host 192.168.1.10 - capture traffic where the destination host is 192.168.1.10
src host 192.168.1.10 - capture traffic where the source is 192.168.1.10

Specifying networks
net 192.168.1.0/24 - capture traffic to or from 192.168.1.0/24
dst net 192.168.1.0 mask 255.255.255.0 - capture traffic destined for the 192.168.1.0/24 network
src net localnet - capture traffic coming from the local network

Specifying ports
port 80 - capture traffic to or from port 80 (source port 22 and destination port 50000 will be captured)
dst portrange 80-1024 - capture traffic going to ports 80-1024
src portrange 40000-50000 - capture traffic coming from ports 40000-50000

Specifying protocols
tcp - capture TCP traffic
udp - capture UDP traffic
icmp - capture ICMP traffic
arp - capture ARP traffic

Combining multiple primitives
dst port 80 or dst host 192.168.1.10 - capture traffic going to port 80 or to 192.168.1.10
dst port 80 and (src host 192.168.1.11 or src host 192.168.1.12) - capture traffic going to port 80 and coming from either 192.168.1.11 or 192.168.1.12
not dst port 80 and not dst host 192.168.1.10 - skip traffic destined for port 80 or for 192.168.1.10

Byte Offset Filtering
icmp[0]=8 or icmp[0]=0 - look at the first byte of ICMP packets (the type field) and capture types 8 (echo) and 0 (echo reply)
tcp[0:2]=80 and tcp[13]=0x02 - capture packets coming from port 80 (the first 2 bytes hold the source port) whose flags byte is exactly the SYN flag (0x02)
tcp[13] & 0x02 = 2 - capture packets with the SYN flag present (other flags may also be set; 0x12, a SYN-ACK, will match)

By ANDing tcp[13] with the mask 0x02 you drop all bits except the second bit from the right. Next you compare the result with the value 0x02, which has the 2nd bit set, to find out whether the original bit was set in the first place.
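The byte-offset filters above work on raw header bytes. As an added example (not code from the original article), here is a small Python evaluator for the general form proto[offset:length] & mask = value, run against constructed TCP and ICMP headers; it shows why tcp[13] & 0x02 = 2 matches a SYN-ACK while tcp[13]=0x02 does not. The helper and function names are my own.

```python
import struct
from typing import Optional

# Added example, not part of the original article: a tiny evaluator for
# tcpdump-style byte-offset primitives, proto[offset:length] & mask = value,
# applied to constructed (not captured) TCP and ICMP headers.

def match(hdr: bytes, offset: int, length: int = 1,
          mask: Optional[int] = None, value: int = 0) -> bool:
    """True if hdr[offset:offset+length] (big-endian, optionally ANDed with
    mask) equals value. A header too short for the offset never matches."""
    if len(hdr) < offset + length:
        return False
    field = int.from_bytes(hdr[offset:offset + length], "big")
    if mask is not None:
        field &= mask
    return field == value

# Constructed 20-byte TCP header: ports, seq, ack, data offset (5 words),
# flags, window, checksum, urgent pointer. Byte 13 is the flags byte.
def tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 0, 0, 0)

# Constructed 8-byte ICMP header: type, code, checksum, id, sequence.
def icmp_header(icmp_type: int) -> bytes:
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0)

SYN, ACK = 0x02, 0x10

def from_port80_syn_only(tcp: bytes) -> bool:
    """tcp[0:2]=80 and tcp[13]=0x02: exact flags compare, a SYN-ACK fails."""
    return match(tcp, 0, 2, value=80) and match(tcp, 13, value=0x02)

def syn_bit_set(tcp: bytes) -> bool:
    """tcp[13] & 0x02 = 2: SYN bit present, other flags may be set too."""
    return match(tcp, 13, mask=0x02, value=0x02)

def icmp_echo_or_reply(icmp: bytes) -> bool:
    """icmp[0]=8 or icmp[0]=0: echo request or echo reply."""
    return match(icmp, 0, value=8) or match(icmp, 0, value=0)

if __name__ == "__main__":
    for name, pkt in [("SYN from 80", tcp_header(80, 50000, SYN)),
                      ("SYN-ACK from 80", tcp_header(80, 50000, SYN | ACK)),
                      ("ACK from 443", tcp_header(443, 50000, ACK))]:
        print(f"{name:16} exact={from_port80_syn_only(pkt)} synbit={syn_bit_set(pkt)}")
    for t in (8, 0, 3):
        print(f"icmp type {t}: {icmp_echo_or_reply(icmp_header(t))}")
```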
